Hey all,
So here's the run:
sudo bro -C -r ../captures/email.pcapng /usr/local/bro/share/bro/policy/frameworks/intel/seen/smtp-url-extraction.bro
and list of files generated:
-rw-r--r-- 1 root root 12419 Aug 7 10:18 conn.log
-rw-r--r-- 1 root root 0 Aug 7 10:18 debug.log
-rw-r--r-- 1 root root 12586 Aug 7 10:18 files.log
-rw-r--r-- 1 root root 253 Aug 7 10:18 packet_filter.log
-rw-r--r-- 1 root root 39557 Aug 7 10:18 smtp.log
-rw-r--r-- 1 root root 7936 Aug 7 10:18 ssl.log
-rw-r--r-- 1 root root 8608 Aug 7 10:18 x509.log
For the life of me I'm unable to find where the links might be at. One of the links in the pcap has 88EX336W4062X11N55206638L1122194955 in it... this string shows up nowhere in any of the logs... is there a step I'm missing with this? Thank you.
James